Grandstream: Remote Code Execution Flaw In Grandstream GXP1600 Phones Exposed With PoC Exploit

Critical Zero-Day in Grandstream VoIP Phones Enables Unauthenticated Remote Code Execution

A severe zero-day vulnerability (CVE-2026-2329) in Grandstream’s GXP1600 series VoIP phones allows unauthenticated remote code execution (RCE) with root privileges. The flaw, a stack-based buffer overflow (CWE-121), affects the web-based API service on TCP port 80, accessible in default configurations without authentication.

All six models (GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630) share the same vulnerable firmware (versions up to 1.0.7.79). With a CVSSv4 score of 9.3 (Critical), the vulnerability enables low-complexity attacks from the network, posing significant risk to organizations that use these devices for sensitive voice communications.

The issue stems from improper bounds checking in the /cgi-bin/api.values.Get endpoint, where a fixed 64-byte stack buffer (small_buffer) overflows when processing maliciously crafted HTTP POST requests. Exploitation corrupts adjacent stack memory, including the saved return address that is loaded into the program counter (PC), allowing attackers to execute arbitrary code via return-oriented programming (ROP) chains. Security mitigations such as RELRO, stack canaries, and PIE are absent, though the NX bit prevents direct execution of code on the stack.
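To make the bug class concrete, the following added example (written for this summary, not code from Grandstream's firmware or from Rapid7's modules) shows the CWE-121 pattern the advisory describes beside the bounded form a defender would expect: a value from a form-encoded POST body copied into a 64-byte stack buffer. The parameter name `param`, the function names, and the numeric status codes are assumptions of this example; only the endpoint name and the 64-byte buffer size come from the advisory.

```c
/* Illustrative CWE-121 example for the /cgi-bin/api.values.Get class of bug.
 * Not the vendor's code: parameter name "param", function names and status
 * codes are this example's own conventions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SMALL_BUFFER_LEN 64     /* fixed stack buffer size named in the advisory */

/* Locate "name=" at the start of a form-encoded body or right after an '&'.
 * On success sets *val/*val_len to the raw value bytes (not NUL-terminated)
 * and returns 0; returns -1 if the parameter is absent. Nothing is copied. */
static int find_param(const char *body, const char *name,
                      const char **val, size_t *val_len)
{
    size_t name_len = strlen(name);
    const char *p = body;
    while (*p) {
        if (strncmp(p, name, name_len) == 0 && p[name_len] == '=') {
            const char *start = p + name_len + 1;
            const char *end = strchr(start, '&');
            *val = start;
            *val_len = end ? (size_t)(end - start) : strlen(start);
            return 0;
        }
        p = strchr(p, '&');
        if (!p)
            break;
        p++;
    }
    return -1;
}

/* Vulnerable pattern: the value is copied into a 64-byte stack buffer with no
 * check against its length, so a longer value overwrites whatever sits above
 * the buffer (saved registers, return address). Kept for contrast and only
 * ever exercised here with short, in-bounds input. */
size_t copy_value_unchecked(const char *val, size_t val_len)
{
    char small_buffer[SMALL_BUFFER_LEN];
    memcpy(small_buffer, val, val_len);   /* unbounded: overflows when val_len > 64 */
    small_buffer[val_len] = '\0';         /* and off by one at exactly 64 */
    return strlen(small_buffer);
}

/* Hardened form: refuse anything that does not fit together with its NUL
 * terminator before the stack buffer is touched. Rejecting (rather than
 * silently truncating) keeps the error visible to callers and logs. */
static int copy_value_checked(const char *val, size_t val_len,
                              char *dst, size_t dst_len)
{
    if (val_len >= dst_len)
        return -1;
    memcpy(dst, val, val_len);
    dst[val_len] = '\0';
    return 0;
}

/* Request handler in the order a defender wants: parse, bound, then use.
 * Returns 200 when the value is accepted, 400 when the parameter is missing,
 * 413 when the value would not fit the buffer. */
int handle_api_values_get(const char *body)
{
    const char *val;
    size_t val_len;
    char small_buffer[SMALL_BUFFER_LEN];

    if (find_param(body, "param", &val, &val_len) != 0)
        return 400;
    if (copy_value_checked(val, val_len, small_buffer, sizeof small_buffer) != 0)
        return 413;
    /* small_buffer is now a bounded, NUL-terminated copy safe to use. */
    return 200;
}

/* Helper for exercising the boundary: builds a constructed body whose
 * "param" value is n bytes of 'A' and returns the handler's status. */
int status_for_value_length(size_t n)
{
    char body[512];
    if (n + 7 > sizeof body)
        return -1;
    memcpy(body, "param=", 6);
    memset(body + 6, 'A', n);
    body[6 + n] = '\0';
    return handle_api_values_get(body);
}

int main(void)
{
    /* Constructed sample bodies, not captured traffic. */
    printf("benign       -> %d\n",
           handle_api_values_get("request=value&param=short_value&sid=1"));
    printf("missing      -> %d\n", handle_api_values_get("request=value&sid=1"));
    printf("63-byte val  -> %d\n", status_for_value_length(63));
    printf("64-byte val  -> %d\n", status_for_value_length(64));
    printf("200-byte val -> %d\n", status_for_value_length(200));
    return 0;
}
```

The boundary matters: 63 bytes is the longest value that fits with its terminator, so the check is `val_len >= dst_len`, not `>`; an off-by-one here is exactly the kind of defect a canary or RELRO would otherwise have to catch, and the advisory notes those are absent on these devices.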

Grandstream released firmware version 1.0.7.81 on January 30, 2026, patching the flaw. Rapid7 developed Metasploit modules for exploitation, including a post-exploitation tool to extract SIP credentials, enabling attackers to intercept calls, conduct toll fraud, or impersonate users. Public proof-of-concept (PoC) code further increases the threat, particularly for exposed devices in finance, government, or small businesses.

Discovered by researcher Stephen Fewer on January 6, 2026, the vulnerability underwent coordinated disclosure, with no reported in-the-wild exploitation to date. However, the trivial exploitability makes it attractive to opportunistic attackers and advanced persistent threats (APTs). Mitigation requires immediate firmware updates, network segmentation to isolate VoIP devices, and disabling web interfaces where possible.

Source: https://cyberpress.org/grandstream-gxp1600-rce-exploit/

Grandstream TPRM report: https://www.rankiteo.com/company/grandstream-networks

{
  "id": "gra1771961536",
  "linkid": "grandstream-networks",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Organizations using Grandstream '
                                              'GXP1600 series VoIP phones '
                                              '(finance, government, small '
                                              'businesses)',
                        'industry': 'Telecommunications/VoIP',
                        'name': 'Grandstream',
                        'type': 'Company'}],
 'attack_vector': 'Network',
 'data_breach': {'sensitivity_of_data': 'High (enables call interception and '
                                        'fraud)',
                 'type_of_data_compromised': 'SIP credentials'},
 'date_detected': '2026-01-06',
 'date_publicly_disclosed': '2026-01-30',
 'date_resolved': '2026-01-30',
 'description': 'A severe zero-day vulnerability (CVE-2026-2329) in '
                'Grandstream’s GXP1600 series VoIP phones allows '
                'unauthenticated remote code execution (RCE) with root '
                'privileges. The flaw, a stack-based buffer overflow '
                '(CWE-121), affects the web-based API service on TCP port 80, '
                'accessible in default configurations without authentication. '
                'All six models (GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, '
                'and GXP1630) share the same vulnerable firmware (versions up '
                'to 1.0.7.79). The vulnerability enables low-complexity '
                'attacks from the network, posing significant risks to '
                'organizations using these devices for sensitive voice '
                'communications.',
 'impact': {'data_compromised': 'SIP credentials',
            'operational_impact': 'Interception of calls, toll fraud, user '
                                  'impersonation',
            'systems_affected': 'Grandstream GXP1600 series VoIP phones '
                                '(GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, '
                                'GXP1630)'},
 'investigation_status': 'Patched',
 'lessons_learned': 'Importance of timely firmware updates, network '
                    'segmentation for IoT/VoIP devices, and disabling '
                    'unnecessary web interfaces to reduce attack surface.',
 'post_incident_analysis': {'corrective_actions': 'Firmware patch to fix '
                                                  'bounds checking, removal of '
                                                  'unnecessary web interfaces, '
                                                  'and network segmentation',
                            'root_causes': 'Improper bounds checking in the '
                                           '/cgi-bin/api.values.Get endpoint '
                                           'leading to stack-based buffer '
                                           'overflow'},
 'recommendations': ['Apply firmware update 1.0.7.81 immediately',
                     'Segment VoIP devices from the main network',
                     'Disable web interfaces if not required',
                     'Monitor for suspicious activity on VoIP networks'],
 'references': [{'source': 'Rapid7'},
                {'source': 'Coordinated disclosure by Stephen Fewer'}],
 'response': {'containment_measures': 'Immediate firmware updates, network '
                                      'segmentation to isolate VoIP devices, '
                                      'disabling web interfaces where possible',
              'network_segmentation': 'Recommended',
              'remediation_measures': 'Firmware update to version 1.0.7.81'},
 'title': 'Critical Zero-Day in Grandstream VoIP Phones Enables '
          'Unauthenticated Remote Code Execution',
 'type': 'Zero-Day Vulnerability',
 'vulnerability_exploited': 'CVE-2026-2329 (Stack-based buffer overflow in '
                            '/cgi-bin/api.values.Get endpoint)'}